3
3 Security Concerns key concerns are confidentiality and timeliness to provide confidentiality one must encrypt identification and session key info which requires the use of previously shared private or public keys need timeliness to prevent replay attacks. provided by using sequence numbers or timestamps or challenge/response

4
4 KERBEROS In Greek mythology, a many headed dog, the guardian of the entrance of Hades

5
5 KERBEROS Users wish to access services on servers. Three threats exist: User pretend to be another user. User alter the network address of a workstation. User eavesdrop on exchanges and use a replay attack.

6
6 KERBEROS Provides a centralized authentication server to authenticate users to servers and servers to users. Relies on conventional encryption, making no use of public-key encryption Two versions: version 4 and 5 Version 4 makes use of DES

9
9 Problems with the simple dialogue Password in clear text Solution: Encrypt the password Need to authenticate on each request Solution: Let a ticket have a lifetime Need to authenticate to each new server Solution: Split the Kerberos server up in two parts, one Authentication Server (AS) and one Ticket Granting Server (TGS).

11
11 Problems with the better dialogue Problem 1, Lifetime associated with the ticket-granting ticket If too short repeatedly asked for password If too long greater opportunity to replay The threat is that an opponent will steal the ticket and use it before it expires. Problem 2, a rouge server can give incorrect credentials

19
19 Kerberos - in practice Currently have two Kerberos versions: 4 : restricted to a single realm 5 : allows inter-realm authentication Kerberos v5 is an Internet standard specified in RFC1510, and used by many utilities To use Kerberos: need to have a KDC on your network need to have Kerberized applications running on all participating systems

20
20 X.509 Authentication Service Distributed set of servers that maintains a database about users. Each certificate contains the public key of a user and is signed with the private key of a CA. Is used in e.g. S/MIME, IP Security, SSL/TLS and SET. RSA is recommended to use.

21
21 X.509 Formats

22
22 Typical Digital Signature Approach

23
23 Obtaining a Users Certificate Characteristics of certificates generated by CA: Any user with access to the public key of the CA can recover the user public key that was certified. No part other than the CA can modify the certificate without this being detected.

24
24 X.509 CA Hierarchy

25
25 Revocation of Certificates Reasons for revocation: The users secret key is assumed to be compromised. The user is no longer certified by this CA. The CAs certificate is assumed to be compromised.